If you're using virtualisation extensions such as VT-x or AMD-V, your CPU can already tell when virtualised code is executing and prevent such updates. I'd imagine the interrupts required would be passed to a virtual interrupt handler, rather than processed directly by the physical CPU.
–
PolynomialNov 29 '12 at 23:32

@HubertKario It's still possible for VMs to run privileged (ring 0) instructions - they're just handled by the VM software rather than the physical CPU. What they actually do depends on the implementation - I can imagine some VMs using ring 0 drivers to service them, which may pose some potential issues. This is all guesswork though, since we don't really know how most virtualisation products handle this kind of thing.
–
PolynomialNov 30 '12 at 6:52

1 Answer
1

Yes, I think it is safe to assume that a VM will prevent guests from updating the CPU microcode of the physical CPU.

Updating the microcode on an Intel CPU involves executing the WRMSR instruction, with MSR 0x79. This is a privileged instruction, and can only be executed when the CPU is in privileged mode (CPL=0).

The virtual machine monitor (VMM) should trap on all privileged instructions, including this one, and take appropriate steps to emulate it. While I haven't checked the code of any VMM, I would expect a reasonable VMM might refuse the update, or might ignore it, but no reasonable VMM should allow a guest to update the microcode of the physical CPU that the host is running on. It would be pretty surprising for a VMM to allow a guest to request a microcode update and to actually execute that request on the host CPU.

Updates to firmware of other hardware peripherals is a trickier question. The answer will depend upon how the VMM manages access to that hardware device.

If the hardware device is emulated or virtualized, then a reasonable VMM should prevent a guest from loading firmware updates into the device (in a similar way: loading a firmware update requires I/O to interact with the device, and a VMM should restrict I/O with the device).

However, if the VMM provides the guest with unrestricted direct access to the hardware device (i.e., direct assignment of the device to that guest), then I suspect that the guest might be able to load firmware updates, if the device permits it.

The virtualization strategy for hardware devices will be dependent on the specific VM you use; some VMs use emulation or virtualization, but some may also use direct assignment in some cases. I am not an expert on this subject and cannot speak authoritatively about it. If you are concerned, choose a VM that provides full virtualization or emulation of all devices, and does not use direct assignment to give a guest direct unrestricted access to any hardware peripheral.